Create account



CodeIgniter.com Twitter      


  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
Validation prep_for_form

El Forum
Guest
 
#1
07-02-2007, 06:57 PM
[eluser]Aaron L.[/eluser]
Hello,

I am trying to submit my form to a function which validates my form before inserting it into the DB. In this function, I am attempting to use prep_for_form (documentation). The problem is, when I fill-in the form with something like "I'm", I still get an SQL error because the ' is there.

Here is my code:
Code:
$this->load->library('validation');

    //set the validation rules
    $rules['subject'] = "prep_for_form|required|xss_clean";
    $rules['message'] = "prep_for_form|required|xss_clean";
    $rules['to_nick'] = "trim|required|xss_clean";
            
    $this->validation->set_rules($rules);
            
    //set field names for validation error messages
    $fields['subject'] = 'Subject';
    $fields['message'] = 'Message';
    $fields['to_nick'] = 'To Nickname';

    $this->validation->set_fields($fields);
            
    if ($this->validation->run() == FALSE)
    {
        echo "Error";
    }
    else
    {  
                $this->db->query("INSERT INTO messages (subject, message) VALUES ('$subject','$message')");

                echo "SUCCESS!!";
    }

Do you know what's going on here? I'm stumped...

Aaron

El Forum
Guest
 
#2
07-02-2007, 07:24 PM
[eluser]Christopher Blankenship[/eluser]
htmlspecialchars? For converting the single quote.
Quote:Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc.
from : http://www.ellislab.com/codeigniter/user...ation.html

El Forum
Guest
 
#3
07-02-2007, 08:04 PM
[eluser]coolfactor[/eluser]
I don't see where you're defining $subject and $message variables. Could that be part of the problem?

El Forum
Guest
 
#4
07-02-2007, 08:05 PM
[eluser]Rick Jolly[/eluser]
It is the job of the database library to escape sql.

Either use Active Record or query bindings and the sql will be escaped automatically.

Code:
// query bindings
$sql = "INSERT INTO messages (subject, message) VALUES (?,?)";
$this->db->query($sql, array($subject,$message));

// active record
$this->db->insert('messages', array('subject' => $subject, 'message' => $message));

El Forum
Guest
 
#5
07-02-2007, 08:47 PM
[eluser]Aaron L.[/eluser]
Thanks Rick! That is good to know. I've updated my code with an active record insert and it works fine. Thanks again!

El Forum
Guest
 
#6
07-02-2007, 08:48 PM
[eluser]Aaron L.[/eluser]
Also, thanks to everyone else for helping.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.